GHSA-fqqv-56h5-f57g: PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking
A denial-of-service / out-of-memory vulnerability exists in the STATUS_SEND_PACKS handling of ResourcePackClientResponsePacket. PocketMine-MP processes the packIds array without verifying that all entries are unique. A malicious (non-standard) Bedrock client can therefore send the same valid pack UUID many times in a single STATUS_SEND_PACKS response, and the server queues the corresponding pack once per entry instead of once per pack. Because the client controls the number of duplicates, a single small packet can make the server buffer an arbitrary amount of outgoing pack data, quickly exhausting memory and crashing the server. The fix is in PocketMine-MP 5.32.1 (see the commits referenced below).
Severity: High — Remote DoS from an authenticated client.
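The following Python model is added here to illustrate the advisory; it is not PocketMine-MP code (the project is written in PHP, and the real fix is in the referenced commits). It contrasts the unchecked handling described above, where every packIds entry is honoured, with a hardened handler that refuses the response when it contains duplicate IDs, IDs the server never offered, or a pack already delivered earlier in the session. The pack UUIDs, pack sizes, the Session class and all function names are constructed for the example.

```python
"""Model of STATUS_SEND_PACKS handling: unchecked versus hardened.

Constructed example; not PocketMine-MP's implementation. A "pack" is
reduced to its size in bytes, and "sending" a pack is modelled as
buffering that many bytes for the client.
"""
from dataclasses import dataclass, field

# Constructed catalogue of packs the server offered to the client.
SMALL_PACK_ID = "0a6b9c0e-1111-4f7e-9b3b-000000000001"
BIG_PACK_ID = "0a6b9c0e-1111-4f7e-9b3b-000000000002"
PACKS = {
    SMALL_PACK_ID: 8 * 1024 * 1024,   # 8 MiB
    BIG_PACK_ID: 24 * 1024 * 1024,    # 24 MiB
}


@dataclass
class Session:
    """Per-connection negotiation state (constructed for the model)."""
    queued_bytes: int = 0                        # bytes buffered for this client
    sent_packs: set = field(default_factory=set) # packs already handed out
    disconnected: str = ""                       # non-empty once the server drops the client


def queue_pack(session, pack_id):
    """Buffer the whole pack (data-info packet plus chunks) for sending."""
    session.queued_bytes += PACKS[pack_id]


def handle_send_packs_unchecked(session, pack_ids):
    """Behaviour described in the advisory: each entry is processed as-is,
    so N copies of one valid UUID queue the pack N times."""
    for pack_id in pack_ids:
        if pack_id in PACKS:
            queue_pack(session, pack_id)
    return session.queued_bytes


def handle_send_packs_hardened(session, pack_ids):
    """Validate the whole response before queueing anything, and disconnect
    on any malformed request rather than serving it partially."""
    if len(set(pack_ids)) != len(pack_ids):
        session.disconnected = "duplicate pack ID in STATUS_SEND_PACKS"
        return session.queued_bytes
    for pack_id in pack_ids:
        if pack_id not in PACKS:
            session.disconnected = f"unknown pack ID {pack_id}"
            return session.queued_bytes
        if pack_id in session.sent_packs:
            session.disconnected = f"pack {pack_id} was already sent"
            return session.queued_bytes
    # Only now is the request known to be well-formed; record and queue.
    for pack_id in pack_ids:
        session.sent_packs.add(pack_id)
        queue_pack(session, pack_id)
    return session.queued_bytes


def amplification(pack_ids, handler):
    """Bytes queued by `handler` divided by what an honest client
    requesting each listed pack once would receive."""
    honest = sum(PACKS[p] for p in set(pack_ids) if p in PACKS)
    queued = handler(Session(), pack_ids)
    return queued / honest if honest else 0.0


if __name__ == "__main__":
    # One response carrying the same 24 MiB pack 1000 times.
    malicious = [BIG_PACK_ID] * 1000
    print("unchecked: %d MiB queued" %
          (handle_send_packs_unchecked(Session(), malicious) // 2**20))
    s = Session()
    handle_send_packs_hardened(s, malicious)
    print("hardened : %d bytes queued, disconnected: %s" % (s.queued_bytes, s.disconnected))
```

The hardened handler validates the full list before queueing anything, so a response that is partly valid cannot be used to get some packs sent before the server notices the abuse; tracking `sent_packs` additionally stops a client from re-requesting the same pack across several STATUS_SEND_PACKS responses.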
References
- github.com/advisories/GHSA-fqqv-56h5-f57g
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/commit/c417ecd30d20520227b15e09eda87db492ab0a6a
- github.com/pmmp/PocketMine-MP/commit/e375437439df51f7862b6b98318394643fcd6724
- github.com/pmmp/PocketMine-MP/releases/tag/5.32.1
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-fqqv-56h5-f57g